Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I cannot find any information on this issue, and some browsers apparently block the action (even though users would normally just store an exception for a self-signed certificate, the browser also notices that there is not complete information about the server since Apache was not given a chain file in PEM format--this browser issue is reported by some people on the internet when searching Google for "chain file required apache"). Apache says it wants "a file containing the concatenation of PEM encoded CA certificates which form the certificate chain for the server certificate", so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate (feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result in a security risk).
Please update the page on ubuntu.com (link above) to clarify that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to clarify how to generate a chain file.
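One way to check what a candidate chain file contains and whether a server certificate validates against it, as an added example that is not part of the original report or of the Ubuntu server guide. The throwaway CA, the file names (`cacert.pem`, `server.crt`) and the subjects are constructed for the demo, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect a candidate chain file and test it against a server cert.
# All file names and subjects below are constructed for the demo.

# Number of PEM certificate blocks concatenated in FILE.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print subject= and issuer= for every certificate in the bundle FILE.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed only if LEAF validates using nothing but the CA certs in CHAIN.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA and a server certificate signed by it in DIR.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "certificates in bundle: $(count_pem_certs "$demo/cacert.pem")"
list_chain "$demo/cacert.pem"
if chain_verifies "$demo/cacert.pem" "$demo/server.crt"; then
    echo "server.crt chains to the bundle"
else
    echo "server.crt does NOT chain to the bundle"
fi
```

A bundle from a different CA fails `chain_verifies` even when its subject name is identical, because the signature on the server certificate does not match that CA's key.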
I removed the security aspect of this bug. Only the security team should use that.